Novell Doc: ZENworks 11 ZENworks Control Center Reference

6.5 Rights Descriptions

When you create additional administrator accounts you can provide full access to your zone or you can create accounts with limited rights. For example, you could create an administrator account that enables the administrator to assign bundles to devices but doesn’t allow the administrator to create bundles, or you could create an administrator account that allows access to all management tasks except those pertaining to Management Zone configuration (user sources, registration, configuration settings, and so forth). For information about creating additional administrators, see Creating Administrators.

For Administrator roles only, a third column of rights options is added to each rights assignment dialog box: Unset, which allows rights set elsewhere in ZENworks to be used for the role.

The most restrictive right set in ZENworks prevails. Therefore, if you select the Deny option, the right is denied for any administrator assigned to that role, even if the administrator is granted that right elsewhere in ZENworks.

If you select the Allow option and the right has not been denied elsewhere in ZENworks, the administrator has that right for the role.

If you select the Unset option, the administrator is not granted the right for the role unless it is granted elsewhere in ZENworks.

You can also add, modify, or remove the assigned rights for an existing administrator. For more information, see Section 6.2.2, Assigning Additional Rights, Section 6.2.3, Modifying Assigned Rights, or Section 6.2.4, Removing Assigned Rights.

The following sections contain additional information about the various rights that you can assign:

6.5.1 Administrator Rights

The Administrator Rights dialog box lets you allow the selected administrator to grant rights to other administrators and to create or delete administrator accounts for your Management Zone.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Grant Rights	Assign rights to an administrator or administrator group Remove rights from an administrator or administrator group Assign roles to an administrator or administrator group Remove roles from an administrator or administrator group	To grant any object rights to other administrators, an administrator must have the Grant Rights and the rights for that object. For example, to grant bundle rights to other administrators, an administrator must have both the Grant Rights and the Bundle Rights.
Create/Delete	Create an administrator Rename an administrator Set/reset an administrator’s password Delete an administrator
Create/Delete Groups	Create an administrator group Delete an administrator group
Modify Groups	Add administrators to a group Remove administrators from a group

6.5.2 Bundle Rights

The Bundle Rights dialog box lets you control the bundle operations that the selected administrator can perform.

Contexts

Specify the Bundle folders (contexts) that you want the administrator’s Bundle rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

Privileges

The Privileges section lets you grant the selected administrator rights to create or modify bundles, groups, and folders listed in the Contexts section.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Modify Groups	Rename a bundle group Change a bundle group’s description
Create/Delete Groups	Create a bundle group Delete a bundle group Move a bundle group	Setting the Create/Delete Groups right to Allow forces the Modify Groups right to Allow. This means that an administrator who creates a group also receives rights to modify it.
Modify Group Membership	Add bundles to a group Remove bundles from a group Reorder bundles within a group
Modify Folders	Rename a bundle folder Change a bundle folder’s description
Create/Delete Folders	Create a bundle folder Delete a bundle folder Move a bundle folder	Setting the Create/Delete Folders right to Allow forces the Modify Folders right to Allow. This means that an administrator who creates a folder also receives rights to modify it.
Author	Create a bundle (Sandbox version) For Sandbox bundles: Edit settings on a bundle’s Summary tab Edit settings on a bundle’s Requirements tab Edit settings on a bundle’s Actions tab Rename a bundle Move a bundle from one folder to another Copy system requirements from one bundle to another Delete a bundle Enable/disable a bundle Publish (copy) a bundle to a new bundle (Sandbox version)
Publish	Publish a bundle as a new version or a new bundle Edit settings on a bundle’s Summary tab Edit settings on a bundle’s Requirements tab Edit settings on a bundle’s Actions tab Rename a bundle Move a bundle from one folder to another Copy system requirements from one bundle to another Delete a bundle Enable/disable a bundle Publish (copy) a bundle to a new bundle (Sandbox version)	Setting the Publish right to Allow forces the Author right to Allow. This means that an administrator who can publish bundles can also author bundles.
Modify Settings	Edit settings on a bundle’s Settings tab with the following exception: Cannot create or add system variables (System Variables setting) on bundles	This right applies to bundles and bundle folders. It does not apply to bundle groups because bundle groups do not have a Settings tab.
Assign Bundles	Assign bundles to devices, device groups, and device folders Assign bundle groups to devices, device groups, and device folders Assign bundles to users, user groups, and user folders Assign bundle groups to users, user groups, and user folders Remove bundle assignments from the objects listed above Remove bundle group assignments from the objects listed above	To assign bundles to devices, groups, and folders, an administrator needs this right and the Device Rights – Assign Bundles right. In other words, the administrator needs Assign Bundle rights for the bundle and the device to which the bundle is being assigned. To assign bundles to users, groups, and folders, an administrator needs this right and the User Rights – Assign Bundles right. In other words, the administrator needs Assign Bundle rights for the bundle and the user to which the bundle is being assigned.

6.5.3 Contract Management Rights

The Contract Management Rights dialog box lets you control the operations that the selected administrator can perform to manage contracts.

Contexts

Specify the Contract Management folders (contexts) that you want the administrator’s Contract Management rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

Privileges

The Privileges section lets you grant the selected administrator rights to contracts and folders listed in the Contexts section.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Modify	Change contract details, with the following exceptions: Date Notification changes also require Create/Delete rights Change default Date Notification settings Add relationships (Workstation/Server Devices, Network Devices, Licence Entitlements, Users, Sites, Cost Centers, and Departments) to contracts Remove relationships from contracts	To add or remove a license entitlement relationship, an administrator must have this right and the License Management Rights – Modify right. In other words, an administrator needs Modify rights to both the contract and the license entitlement.
Create/Delete	Create a new contract Copy a contract to create a new contract Move a contract to a different folder Delete a contract Create a Date Notification Change a Date Notification Move a Date Notification to a different folder Delete a Date Notification
Modify Folders	Change a folder’s description
Create/Delete Folders	Create a folder Delete a folder Move a folder to another folder	To move a folder, an adminstrator must have this right and the Create/Delete right.

Access to Contract Management reports is controlled through Asset Management Report Rights. For details, see Section 6.5.24, Asset Management Report Rights.

6.5.4 Credential Rights

The Credential Rights dialog box lets you control the operations that the selected administrator can perform to manage credentials.

Contexts

Specify the Credential folders (contexts) that you want the administrator’s Credential rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

Privileges

The Privileges section lets you grant the selected administrator rights to create or modify credentials, groups, and folders listed in the Contexts section.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Modify	Rename a credential Change a credential’s login name Change a credential’s password Change a credential’s description
Create/Delete	Create a credential Move a credential to a different folder Delete a credential
Modify Folders	Rename a credential folder Change a folder’s description	To rename a folder, an administrator must have this right and the Modify right.
Create/Delete Folders	Create a credential folder Delete a credential folder Move a credential folder to another folder	To move a folder, an administrator must have this right and the Create/Delete right.

For more information about the tasks you can perform on credentials, see Section 10.0, Using the Credential Vault.

6.5.5 Deployment Rights

Deployment lets you discover network devices and deploy the ZENworks Adaptive Agent to them so that they become managed devices in your Management Zone. For more information, see ZENworks Adaptive Agent Deployment in the ZENworks 11 Discovery, Deployment, and Retirement Reference.

The Deployment Rights dialog box lets you control the selected administrator’s ability to perform deployment operations.

The following right is available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Deployment	Create a deployment task Launch a deployment task Abort a deployment task Rename a deployment task Modify all deployment task settings Delete a deployment task Edit a deployment package Import devices from a CSV file into the Deployable Devices list Delete devices from the Deployable Devices list

6.5.6 Device Rights

The Device Rights dialog box lets you control the operations that the selected administrator can perform on devices.

Contexts

Specify the Device folders (contexts) that you want the administrator’s Device rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

Privileges

The Privileges section lets you grant the selected administrator rights to work with devices, including device groups and folders listed in the Contexts section.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Modify	Retire a device Rename a device Acknowledge device messages Change a device to a test device Change a test device to a non-test device Copy device settings (from the Settings tab) to other devices View and edit a device’s detailed inventory (Detailed Software Hardware Inventory link on the Inventory tab)	To copy device settings, the administrator also needs the Modify Settings right.
Create/Delete	Create managed devices by importing device information from a CSV file Create managed devices by manually adding device information Delete a device Move a device
Modify Groups	Rename a device group Change a device group’s description	To change device group’s description, an administrator needs this right and the Modify right.
Create/Delete Groups	Create a device group Delete a device group Move a device group	Setting the Create/Delete Groups right to Allow forces the Modify Groups right to Allow. This means that an administrator who creates a group also receives rights to modify it.
Modify Group Membership	Add devices to a device group Remove devices from a device group Change criteria for a dynamic device group
Modify Folders	Rename a device folder Change a device folder’s description
Create/Delete Folders	Create a device folder Delete a device folder Move a device folder	Setting the Create/Delete Folders right to Allow forces the Modify Folders right to Allow. This means that an administrator who creates a folder also receives rights to modify it.
Modify Settings	Edit settings on a device’s Settings tab	This right applies to devices and device folders. It does not apply to device groups because device groups do not have a Settings tab.
Assign Bundles	Assign bundles to devices, device groups, and device folders Assign bundle groups to devices, device groups, and device folders Remove bundle assignments from the objects listed above Remove bundle group assignments from the objects listed above	To assign bundles to devices, groups, and folders, an administrator needs this right and the Bundle Rights – Assign Bundles right. In other words, the administrator needs Assign Bundle rights for the bundle and the device to which the bundle is being assigned.
Assign Policies	Assign policies to devices, device groups, and device folders Assign policy groups to devices, device groups, and device folders Remove policy assignments from the objects listed above Remove policy group assignments from the objects listed above	To assign policies to devices, groups, and folders, an administrator needs the following rights: Assign Policies (this right) Policy Rights - Assign Policies Policy Rights - Manage Configuration Policies or Policy Rights - Manage Security Policies In other words, an administrator needs Assign Policy rights for the policy and the device to which the policy is being assigned, and he needs the Manage Configuration Policies or Manage Security Policies right depending on whether the policy is a Configuration or Security policy.
Assign Locations	Assign locations and network environments to devices and device folders Assign startup locations and network environments to devices and device folders	This right does not apply to device groups because device groups do not have a Locations tab.
View Detailed Inventory	View a devices detailed inventory (Detailed Software/Hardware Inventory link on Inventory tab)	This right controls view-only access. If you want an administrator to be able to edit the detailed inventory, the administrator needs the Modify right.
Manage ERI	Download a device’s ERI file View an ERI file’s password Delete an ERI file

6.5.7 Discovery Rights

The Discovery Rights dialog box lets you control the selected administrator’s ability to perform discovery operations.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Discovery	Create a discovery task Launch a discovery task Abort a discovery task Rename a discovery task Modify all discovery task settings Delete a discovery task Discover advertised devices (devices that have the ZENworks preagent installed, such as OEM devices or unregistered devices)
Edit Discovered Devices	Edit the following properties for discovered devices: Discovered Type Network Type Operating System Vendor Operating System Category Operating System Platform Support/Service Pack

6.5.8 Document Rights

The Document Rights dialog box lets you control the operations that the selected administrator can perform to manage documents.

Contexts

Specify the Document folders (contexts) that you want the administrator’s Document rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

Privileges

The Privileges section lets you grant the selected administrator rights to create or modify documents and their folders listed in the Contexts section.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Modify	Change a document’s details: Document ID Path Source Location As-Of-Date Description Download and open a document Add and remove relationships with contracts Add and remove relationships with license entitlements Add and remove relations with purchase summary records	To add and remove relationships with contracts, an administrator must also have the Contract Management Rights – Modify right. In other words, an administrator needs Modify rights to both the document and the contract. To add and remove relationships with license entitlements and purchase summary records, an administrator must also have the License Management Rights – Modify right. In other words, an administrator needs Modify rights to both the document and the license entitlement or purchase summary record.
Create/Delete	Upload a new document so that it is available from the ZENworks Server Link (hyperlink) to a new document Move a document to a different folder Delete a document
Modify Folders	Change a folder’s description
Create/Delete Folders	Create a folder Delete a folder Move a folder to another folder	To move a folder, an administrator must have this right and the Create/Delete right.

6.5.9 Inventoried Device Rights

The Inventoried Device Rights dialog box lets you control the operations that an administrator can perform on inventoried devices.

Contexts

Specify the Inventoried Device folders (contexts) that you want the administrator’s Inventoried Device rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

Privileges

The Privileges section lets you grant the selected administrator rights to work with inventoried devices, including device folders listed in the Contexts section.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Modify	Retire an inventoried device Rename an inventoried device Edit a device’s detailed inventory (Detailed Software Hardware Inventory link on the Inventory tab)
Create/Delete	Create an inventoried device Delete an inventoried device Move an inventoried device	To create an inventoried device, an administrator also requires the Device Rights – Create/Delete right so that he has access to the Create Portable Client and Import Inventory tasks.
Modify Groups	None	This right has no operational effect when assigned to an administrator.
Create/Delete Groups	None	This right has no operational effect when assigned to an administrator.
Modify Group Membership	None	This right has no operational effect when assigned to an administrator.
Modify Folders	Rename a device folder Change a device folder’s description
Create/Delete Folders	Create a device folder Delete a device folder Move a device folder	Setting the Create/Delete Folders right to Allow forces the Modify Folders right to Allow. This means that an administrator who creates a folder also receives rights to modify it.
View Detailed Inventory	View a devices detailed inventory (Detailed Software/Hardware Inventory link on Inventory tab)	This right controls view-only access. If you want an administrator to be able to edit the detailed inventory, the administrator needs the Modify right.

6.5.10 LDAP Import Rights

The LDAP Import Rights dialog box lets you control the selected administrator’s ability to import LDAP information.

The following right is available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
LDAP Import	Create a an LDAP import task; the task imports data from an LDAP source and uses it to populate device inventory information in ZENworks Control Center Rename an LDAP import task Delete an LDAP import task Launch an LDAP import task Abort an LDAP import task View results of an LDAP import task Modify tasks settings	The LDAP Import feature is located in Configuration > Asset Inventory tab > LDAP Import Tasks

6.5.11 License Management Rights

The License Management Rights dialog box lets you control the operations that the selected administrator can perform to manage licenses.

Contexts

Specify the License Management folders (contexts) that you want the administrator’s License Management rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

Privileges

The Privileges section lets you grant the administrator rights to work with the software license components associated with the contexts (folders) you selected in the Contexts section

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Modify	For purchase records: Change purchase record details Create, edit, and delete purchase details for existing purchase records For catalog products: Change catalog product details Add a catalog product to a licensed product Include or exclude a catalog product from being able to be added to a licensed product For licensed products: Change licensed product details Allocate licensed products to devices Remove licensed product allocations from devices Refresh compliance status Use auto-reconcile to add discovered products and catalog products to existing licensed products For discovered products: Include or exclude a discovered product from being able to be added to a licensed product Add a discovered product to a licensed product or to a software collection Assign a Standards category to a discovered product Refresh compliance status Change the usage period For software collections: Change a software collection’s details Add discovered products to a software collection Remove discovered products from a software collection
Create/Delete	For purchase records: Create a new purchase record Import purchase records from a file Move a purchase record from one folder to another Move a purchase record from one folder to another For catalog products: Create a new catalog product Move a catalog product from one folder to another Delete a catalog product For licensed products: Create a new licensed product Auto-reconcile to create new licensed products from discovered products Merge two or more licensed products into one Move a licensed product from one folder to another Delete a licensed product For software collections: Create a new software collection Move a software collection from one folder to another Delete a software collection
Modify Folders	Change a folder’s description
Create/Delete Folders	Create a folder Delete a folder Move a folder to another folder	To move a folder, an adminstrator must have this right and the Create/Delete right.

Access to License Management reports is controlled through Asset Management Report Rights. For details, see Section 6.5.24, Asset Management Report Rights.

6.5.12 Location Rights

The Location Rights dialog box lets you control the operations the selected administrator can perform on locations and network environments.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Modify	For locations: Rename a location Reorder locations (move up/down) Add network environments to a location Remove network environments from a location Reorder network environments for a location (move up/down) Change a location’s description Configure a location’s closest servers (Servers page) Modify the location’s settings (Settings page) Change the “Duration to Honor” setting for the startup location For network environments: Rename a network environment Change a network environment’s description Modify a network environment’s match criteria (network services) Configure a network environment’s closest servers (Servers page) Modify a network environment’s settings (Settings page)
Create/Delete	Create a location Delete a location Create a network environment Delete a network environment

6.5.13 Patch Management Rights - Device

Patch Management rights are configurable at two levels: zone and device. The zone-level Patch Management rights (see Section 6.5.14, Patch Management Rights - Zone) control the operations that are available on the Patch Management page and on device objects, while the device-level Patch Management rights control only the operations available on device objects.

Contexts

Specify the Device folders (contexts) that you want the administrator’s Patch Management rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

Privileges

The Privileges section lets you grant the administrator rights to perform Patch Management operations associated with the contexts (folders) you selected in the Contexts section

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Patch Deploy	Deploy a patch to a device Deploy a patch to a device group	An administrator must have this right and Bundle Rights for the patch bundle being deployed.
Assign a Baseline	Assign a patch to a device group’s mandatory baseline of patches
Remove from Baseline	Remove a patch from a device group’s mandatory baseline of patches
View Patch Details	View information for a patch that is listed in a device’s Patches list
Recalculate Baseline	Initiate an immediate check of all devices in a device group to evaluate baseline patch compliance and apply the required baseline patches if necessary
Export Patch	Export patch information to a CSV file for one or more patches selected from a device’s Patches list

6.5.14 Patch Management Rights - Zone

Patch Management rights are configurable at two levels: zone and device. The zone-level Patch Management rights control the operations that are available on the Patch Management page and on device objects, while the device-level Patch Management rights (see Section 6.5.13, Patch Management Rights - Device) control only the operations available on device objects.

The following zone-level Patch Management rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Patch Deploy	Deploy a patch to a device Deploy a patch to a device group Deploy a patch to a device folder	An administrator must have this right and Bundle Rights for the patch bundle being deployed.
Patch Enable	Enable a patch to be deployed
Patch Disable	Disable a patch so it can’t be deployed
Patch Update Cache	Update a patch in the ZENworks Server cache by downloading the patch from the subscription service
Assign a Baseline	Assign a patch to a device group’s mandatory baseline of patches
Remove from Baseline	Remove a patch from a device group’s mandatory baseline of patches
View Patch Details	View information for a patch that is listed in a device’s Patches list
Export Patch	Export patch information to a CSV file for one or more patches selected from a device’s Patches list
Scan Now	Initiate a patch detection scan (DAU task) on devices
Remove Patch	Remove a patch from a device
Recalculate Baseline	Initiate an immediate check of all devices in a device group to evaluate baseline patch compliance and apply the required baseline patches if necessary
Configure	Configure the Patch Management zone settings (Configuration > Management Zone Settings > Patch Management)

6.5.15 Policy Rights

The Policy Rights dialog box lets you control the operations that the selected administrator can perform on policies.

Contexts

Specify the Policy folders (contexts) that you want the administrator’s Policy rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

Privileges

The Privileges section lets you grant the selected administrator rights to work with policies, including policy groups and folders listed in the Contexts section

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Modify Groups	Rename a policy group Change a policy group’s description
Create/Delete Groups	Create a policy group Delete a policy group Move a policy group	Setting the Create/Delete Groups right to Allow forces the Modify Groups right to Allow. This means that an administrator who creates a group also receives rights to modify it.
Modify Group Membership	Add policies to a group Remove policies from a group Reorder policies within a group	In addition to this right, an administrator must also have the Manage Configuration Policies right or the Management Security policies right. For example, to add a Configuration policy to a group, an administrator must have the following two rights: Modify Group Membership (this right) Manage Configuration Policies
Modify Folders	Rename a policy folder Change a policy folder’s description
Create/Delete Folders	Create a policy folder Delete a policy folder Move a policy folder	Setting the Create/Delete Folders right to Allow forces the Modify Folders right to Allow. This means that an administrator who creates a folder also receives rights to modify it.
Author	Create a policy (Sandbox version) For Sandbox policies: Edit settings on a policy’s Summary tab Edit settings on a policy’s Requirements tab Edit settings on a poliy’s Details tab Rename a policy Move a policy Copy system requirements from one policy to another Delete a policy Enable and disable a policy Publish (copy) a policy as a new policy (Sandbox version)	In addition to this right, an administrator must also have the Manage Configuration Policies right or the Management Security policies. For example, to create a Configuration policy, an administrator must have the following two rights: Author (this right) Manage Configuration Policies
Publish	Publish a policy as a new version Edit settings on a policy’s Summary tab Edit settings on a policy’s Requirements tab Edit settings on a poliy’s Details tab Rename a policy Move a policy Copy system requirements from one policy to another Delete a policy Enable and disable a policy Publish (copy) a policy as a new policy (Sandbox version)	Setting the Publish right to Allow forces the Author right to Allow. This means that an administrator who has rights to publish policies also has rights to author policies. In addition to this right, an administrator must also have the Manage Configuration Policies right or the Management Security policies. For example, to publish a Security policy, an administrator must have the following two rights: Publish (this right) Manage Security Policies
Assign Policies	Assign policies to devices, device groups, and device folders Assign policy groups to devices, device groups, and device folders Assign policies to users, user groups, and user folders Assign policy groups to users, user groups, and user folders Remove policy assignments from the objects listed above Remove policy group assignments from the objects listed above	In addition to this right, an administrator must also have the Manage Configuration Policies right or the Management Security policies right and the Device Rights - Assign Policies right or User Rights - Assign Policies right. For example, to assign a Security policy to a device, an administrator must have the following two rights: Assign Policies (this right) Manage Security Policies Device Rights - Assign Policies (for the target device)
Manage Configuration Policies	Access to Windows and Linux Configuration policies	This right enables the Author, Publish, Modify Group Membership, and Assign Policies rights to apply to Windows and Linux Configuration policies. Configuration policies are provided by ZENworks Configuration Management and include the Windows Configuration policies (Browser Bookmarks policy, Dynamic Local User policy, Local File Rights policy, Printer policy, Remote Management policy, Roaming Profile policy, SNMP policy, Windows Group policy, and ZENworks Explorer Configuration policy) and the Linux Configuration policies (External Services policy and Puppet policy).
Manage Security Policies	Access to Windows Security policies (including the Full Disk Encryption policy)	This right enables the Author, Publish, Modify Group Membership, and Assign Policies rights to apply to Windows Security policies.

6.5.16 Quick Task Rights

Quick Tasks are tasks that appear in ZENworks Control Center task lists (for example, Server Tasks, Workstation Tasks, Bundles Tasks, and so forth). When you click a task, either a wizard launches to step you through the task or a dialog box appears in which you enter information to complete the task.

The Quick Tasks Rights dialog box lets you control the selected administrator’s ability to perform specific quick tasks.

Contexts

Specify the Device folders (contexts) that you want the administrator’s Quick Task rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

Privileges

The Privileges section lets you control the selected administrator’s rights to perform quick tasks associated with the contexts (folders) you selected in the Contexts section.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Shutdown/Reboot/Wake Up Device	Reboot Shutdown Devices quick task Intel AMT Power Management quick task Wake Up quick task
Execute Processes	Launch Application quick task Run Script quick task Launch Java Application quick task
Refresh ZENworks Adaptive Agent	Refresh Device quick task Refresh Policies quick task
Install/Launch Bundles	Install Bundle quick task Launch Bundle quick task Verify Bundle quick task Uninstall Bundle quick task Distribute Bundle Now quick task
Manage Endpoint Security Settings and Task	Clear ZESM User Defined Password quick task Clear ZESM Local Client Self Defense Settings quick task Clear ZESM Local Firewall Registration Settings quick task FDE – Decommission Full Disk Encryption quick task FDE – Enable Additive User Capturing quick task FDE – Force Device to Send ERI File to Server quick task FDE – Update PBA User quick task
Inventory	Inventory Scan quick task Inventory Wizard quick task
Apply Image	Apply Assigned Imaging Bundle (Action menu) Apply Rule-Based Imaging Bundle (Action menu)
Take Image	Take an image (Action menu)

6.5.17 Remote Management Rights

The Remote Management Rights dialog box lets you control the operations that the selected administrator can perform on remote devices.

Contexts

Specify the Device folders or User folders (contexts) that you want the administrator’s Remote Management rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

Privileges

The Privileges section lets you grant the administrator rights to perform remote operations for devices and users located within the contexts (folders) you selected in the Contexts section.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Remote Control	Control a remote device	Setting the Remote Control right to Allow forces the Remote View and Transfer Files rights to Allow. This means that an administrator who can remotely control a device can also remotely view the device and transfer files to and from the device.
Remote View	View a remote device’s desktop
Transfer Files	Transfer files to/from a remote device Create folders on a remote device Create folders on a remote device Delete files and folders on a remote device
Remote Execute	Run executable files with system privileges on a remote device.	Granting Remote Execute rights allows an administrator to execute processes in the system space.
Remote Diagnostics	Run the following diagnostic tools on a remote device: System Information (msinfo32.exe) Computer Management (compmgmt.msc) Services (services.msc) Registry Editor (regedit.exe) Run other administrator-configured diagnostic tools on a remote device	To configure other diagnostic tools to run on a remote device, an administrator must have the Zone Rights – Modify Rights setting.
Unblock Remote Management Service	Reset (unblock) the remote management connection to a device

6.5.18 Reporting Rights

The Reporting Rights dialog box lets you control the selected administrator’s rights to create, delete, execute, or publish reports.

Contexts

Specify the Report folders (contexts) that you want the administrator’s Reporting rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

Privileges

The Privileges section lets you grant the administrator rights to work with reports associated with the contexts (folders) you selected in the Contexts section.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Create/Delete Reports	Create reports Delete reports Create report folders Delete report folders Modify reports Copy reports	Setting the Create/Delete Reports right to Allow forces the Execute/Publish Reports right to Allow. This means that an administrator who can create reports can also run the reports. To copy a report, an administrator must have Create/Delete Reports rights in the destination folder.
Execute/Publish Reports	Run reports Schedule reports Manage historical report instances Save reports

RIGHT

OPERATIONS CONTROLLED BY THE RIGHT

NOTES

Create/Delete Reports

Create reports
Delete reports
Create report folders
Delete report folders
Modify reports
Copy reports

Setting the Create/Delete Reports right to Allow forces the Execute/Publish Reports right to Allow. This means that an administrator who can create reports can also run the reports.

To copy a report, an administrator must have Create/Delete Reports rights in the destination folder.

Execute/Publish Reports

Run reports
Schedule reports
Manage historical report instances
Save reports

6.5.19 Subscription Rights

The Subscription Rights dialog box lets you control the selected administrator’s rights to create and delete subscriptions.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Modify	Rename a subscription Enable a subscription Disable a subscription Edit all subscription details on the Summary page with the following exceptions: Cannot initiate (Run Now) a subscription replication Cannot change the subscription replication schedule Add and remove subscription catalogs Modify existing subscription catalogs
Create/Delete	Create a new subscription Delete a subscription Copy a subscription to create a new subscription Move a subscription to a different folder	Setting the Create/Delete right to Allow forces the Modify right to Allow. In other words, an administrator who creates a subscription automatically receives rights to modify it.
Modify Folders	Rename a subscription folder Change a subscription folder’s description
Create/Delete Folders	Create a subscription folder Delete a subscription folder Move a subscription folder	Setting the Create/Delete Folders right to Allow forces the Modify Folders right to Allow. In other words, an administrator who creates a folder automatically receives rights to modify it.
Run Now	Initiate (Run Now) replication for a subscription Change the subscription replication schedule	The Run Now right allows an administrator to run a subscription. When the subscription runs, it can create bundles, bundle groups and bundle folders. The administrator does not require any separate bundle rights.
Modify Settings	Edit settings on the subscription’s Settings tab

6.5.20 User Rights

The User Rights dialog box lets you control the operations that the selected administrator can perform on users.

Contexts

Specify the User folders (contexts) that you want the administrator’s User rights to apply to. To select a folder, click Add to display the Contexts dialog box, browse for and select the folder (or multiple folders), then click OK. The rights also apply to the folder’s subfolders.

Privileges

The Privileges section lets you grant the selected administrator rights to work with users and folders listed in the Contexts section.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Modify	Rename a user container Change a user to a test user Change a test user to a non-test user
Modify ZENworks Group Membership	Add users to a ZENworks user group Remove users from a ZENworks user group	In addition to this right, an administrator must also have the ZENworks User Group Rights - Modify ZENworks Group Membership right for the ZENworks user group whose membership is being modified. For example, to add a user to ZENUSERGROUP1, an administrator must have these two rights: Modify ZENworks Group Membership (this right) ZENworks User Group Rights - Modify ZENworks Group Membership right for ZENUSERGROUP1
Assign Bundles	Assign bundles to users, user groups, and user folders Assign bundle groups to users, user groups, and user folders Remove bundle assignments from users, user groups, and user folders Remove bundle group assignments from users, user groups, and user folders	To assign bundles to users, groups, and folders, an administrator needs this right and the Bundle Rights – Assign Bundles right. In other words, the administrator needs Assign Bundles rights for the bundle and the user to which the bundle is being assigned.
Assign Policies	Assign policies to users, user groups, and user folders Assign policy groups to users, user groups, and user folders Remove policy assignments from users, user groups, and user folders Remove policy group assignments from users, user groups, and user folders	To assign policies to users, groups, and folders, an administrator needs this right and the Policy Rights – Assign Policies right and the Policy Rights - Manage Configuration Policies or Policy Rights - Manage Security Policies right. For example, to assign a Security policy to a user, an administrator must have the following three rights: Assign Policies (this right) Policy Rights - Assign Policies Policy Rights - Manage Security Policies

6.5.21 ZENworks User Group Rights

The ZENworks User Group Rights dialog box lets you control the selected administrator’s rights to create, delete, or modify ZENworks user groups.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Modify Groups	Rename a ZENworks user group Change a ZENworks user group’s description
Create/Delete Groups	Create a ZENworks user group Delete a ZENworks user group	Setting the Create/Delete Groups right to Allow forces the Modify Groups right to Allow. In other words, an administrator who creates a group automatically receives rights to modify it.
Modify ZENworks Group Membership	Add users to a ZENworks user group Remove users from a ZENworks user group	In addition to this right, an administrator must also have the User Rights - Modify ZENworks Group Membership right for the users being added to or removed from the group. For example, to add USER1 to ZENUSERGROUP1, an administrator must have these two rights: Modify ZENworks Group Membership (this right) for ZENUSERGROUP1 User Rights - Modify ZENworks Group Membership right for USER1
Assign Bundles	Assign bundles to a ZENworks user group Assign bundle groups to a ZENworks user group Remove bundle assignments from a ZENworks user group Remove bundle group assignments from a ZENworks user group	To assign bundles to a ZENworks user group, an administrator needs this right and the Bundle Rights – Assign Bundles right. In other words, the administrator needs Assign Bundles rights for the bundle and the ZENworks user group to which the bundle is being assigned.
Assign Policies	Assign policies to a ZENworks user group Assign policy groups to a ZENworks user group Remove policy assignments from a ZENworks user group Remove policy group assignments from a ZENworks user group	To assign policies to a ZENworks user group, an administrator needs this right and the Policy Rights – Assign Policies right and the Policy Rights - Manage Configuration Policies or Policy Rights - Manage Security Policies right. For example, to assign a Security policy to a ZENworks user group, an administrator must have the following three rights: Assign Policies (this right) Policy Rights - Assign Policies Policy Rights - Manage Security Policies

6.5.22 Zone Rights

The Zone Rights dialog box lets you control the administrator’s rights to configure settings in your ZENworks Management Zone.

The following rights are available:

RIGHT	OPERATIONS CONTROLLED BY THE RIGHT	NOTES
Modify User Sources	Change the following settings for a user source: Username and Password Authentication Mechanisms Use SSL Root Context Description Add a user container from a source Remove a user container from a source Rename a user container Replace a user container’s context with another context from the user source Add a connection to a user source Edit a connection’s details (name, address, port) Remove a connection to a user source	A user source is an LDAP directory that contains users that you want to reference in your ZENworks Management Zone. User containers are the LDAP contexts in which users are located.
Create/Delete User Sources	Create a user source Delete a user source	Setting the Create/Delete User Sources right to Allow forces the Modify User Sources right to Allow. In other words, an administrator who creates a user source automatically receives rights to modify it.
Modify Settings	Configure Management Zone settings (Configuration > Management Zone Settings)
Modify Zone Infrastructure	Specify what content is hosted on a device (ZENworks Primary Server or Satellite) Move a device in the server hierarchy Designate a workstation as a Satellite Configure a Satellite Remove a workstation as a Satellite
Configure Registration	Create a registration key Edit a registration key Delete a registration key Rename a registration key Create folders for registration keys Move a registration key from one folder to another Copy a registration key to create a new registration key Create a registration rule Edit a registration rule Delete a registration rule
Create/Delete Local Products	Create local software product definitions from device inventory Add local software product definitions into the ZENworks Knowledgebase Delete local software product definitions Delete local software product definitions
Manage FDE PBA Override	Generate response sequences for overriding the ZENworks PBA used with ZENworks Full Disk Encryption
Delete News Alerts	Delete ZENworks news alerts
Update News Alerts	Generate response sequences for overriding the ZENworks PBA used with ZENworks Full Disk Encryption

6.5.23 Inventory Report Rights

The Inventory Report Rights panel allows you to control an administrator’s rights to edit and run the standard and custom inventory reports.

Each report folder has rights associated with it, governing all the reports within that folder. For example, if you have full rights to a report folder, you can edit a report; but with view/execute rights, you can only see the report and run it. With inventory report rights, you can limit who has access to certain reports and who can edit them. The report folder type, custom or standard, and the report name are listed along with the rights associated with the folder. The choices are Remove All Rights, Assign View/Execute Rights, and Assign Full Rights.

Available Tasks

You can perform the following tasks:

Task	Steps	Additional Details
Remove all rights	Select the report folder. Click Edit > Remove All Rights.	This removes all rights to the folder, so the specified administrator cannot see it.
Assign view/execute rights	Select the report folder. Click Edit > Assign View/Execute Rights.	This allows the specified administrator to view and execute a report in the specified folder, but not to edit, move, or delete a report in that folder.
Assign full rights	Select the report folder. Click Edit > Assign Full Rights.	This gives the specified administrator full rights to create, edit, move, and delete reports. For standard reports, this setting is the same as View/Execute, because you cannot alter a standard report.

For more information on Inventory Report Rights, see Inventory Report Rights in the Asset Inventory Reference.

6.5.24 Asset Management Report Rights

The Asset Management Report Rights panel allows you to control an administrator’s rights to edit and run the standard and custom Asset Management reports.

Each report folder has rights associated with it, governing all the reports within that folder. For example, if you have full rights, you can edit a report; but with view/execute rights, you can only see the report and run it. With asset management report rights, you can limit who has access to certain reports and who can edit them. The report folder type, custom or standard, and the report name are listed along with the rights associated with the folder. The choices are Remove All Rights, Assign View/Execute Rights, and Assign Full Rights.

Available Tasks

You can perform the following tasks:

Task	Steps	Additional Details
Remove all rights	Select the report folder. Click Edit > Remove All Rights.	This removes all rights to the folder, so the specified administrator cannot see it.
Assign view/execute rights	Select the report folder. Click Edit > Assign View/Execute Rights.	This allows the specified administrator to view and execute a report in the specified folder, but not to edit, move, or delete a report in that folder.
Assign full rights	Select the report folder. Click Edit > Assign Full Rights.	This gives the specified administrator full rights to create, edit, move, and delete reports. For standard reports, this setting is the same as View/Execute, because you cannot alter a standard report.

For information on Configuring Asset Management Report Rights, seeConfiguring Report Rightsin the Asset Management Reference.